Internal Audit Process : Ensuring compliances and Finding Non-conformities
The sole purpose of the internal audit is to check compliance with the documented organization ISMS requirements. Internal auditing is a key component and essential for ISO 27001 compliance. Therefore internal audits need to be carried out regularly, and effectively at planned intervals. Internal audits help identify and rectify any issues of the ISMS before an external certification audit is carried out for ISO 27001 certification. It also identifies non-conformities and opportunities for improvement. Conducting internal audits reassure the organization and external auditor that a continuous review of the ISMS is done. It also reminds the employees of their responsibilities to comply with ISMS requirements for the protection of organizational information assets.
An internal audit is a systematic and planned process that reviews the 114 controls in Annex A. They are identified in a statement of applicability for compliance with ISO 27001 standards. Internal auditing is a time-consuming process that requires a thorough review of policies, procedures, existing processes, and practices. It's a team effort that requires sharing of the security controls based on the skills and experiences of auditors.
For instance, an auditor with an IT background will focus on:
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operational security
- A.13 Communications Security
- A.14 System acquisition, development, and maintenance
- A.5 Information security policies
- A.6 Organization of information security
- A.7 Human resources security
- A.8 Asset management
- A.15 Supplier relationships
- A.16 Incident management
- A.17 Business continuity management
- A.18 Compliance
It's possible to have overlapping functions of business and technology, which require auditor collaboration. The audit team must prepare well before conducting the audit. The Statement of Applicability (SOA) is the central document for conducting the internal audit. The audit team must ensure that all information is available including previous audit findings, organization procedures, and policies.
The internal audit procedure should define who is responsible for performing the audit, the audit process, the main rules for performing the audit, etc.
The following document(s) are needed to handle internal audits
- Internal audit procedure
- Audit program
- Internal Audit Plan
The audit program should define a series of individual audits while defining activities during an individual audit is done through the audit plan. The audit program is typically made for 1 to 3 years. The audit program should contain methods used for auditing.
The audit plan should define the details of each audit.
The options to organize the internal audit are:
- Department by department
- Clause by clause of the standard
- Process by process
Prepare an audit checklist and an audit plan based on documentation review. The plan should include time allocations for each department and locations you will be visiting. The plan should include activities of meeting auditees, document verification, observations, testing, compiling the report, and follow-up meetings. You must develop an in-depth understanding of the requirements in the statement of applicability. Then communicate the audit plan and objectives in advance to auditees to avoid misunderstandings. The internal audit needs to involve all departments and employees responsible for information security. You need to check if the staff understands the security requirements of the ISMS, related to their work.
Example
The Human Resources department needs to ensure employee confidentiality, and secure recruitment, contracting, training, disciplinary, and termination procedures based on ISMS guidelines.
The IT teams need to perform periodic backups, implement security measures, and carry out system patching based on ISMS guidelines.
Customer services need to maintain customer confidentiality and follow service procedures.
The auditors need to verify that employees clearly understand the purpose of the ISMS, and why they have to do a task according to a defined procedure to ensure information security. The audit needs to find if the employees need additional training.
Auditing is not a disciplinary process. It must provide constructive feedback to auditees to improve the ISMS. Auditor's feedback can be provided during or after the meetings, or after compiling the report. It is important to share your findings with them, as well as answer any queries that they may have on auditing.
Agree on follow-up and corrective actions and time frames after the audit. They must be logged for future verification for effectiveness.
An internal audit performed for an ISMS to obtain ISO 27001 certification, ensure that you cover the following activities in the audit process.
Document review:
Conduct an in-depth document review of your ISMS, and become acquainted with the business and security processes. Find out if there are nonconformities in the documentation about ISO 27001.
Create a checklist :
This must be done as you are conducting the document review. Ensure you understand organization policies and procedures. Make notes of the specific requirements such as backup intervals, backup responsibilities, etc. The audit for compliance requires following this checklist.
Your checklist should include
1. Reference - to the policy, standard, or control,
2. What to look for in the verification
3 How to audit – what locations, which equipment, whom to speak to, questions to ask, records to look for, which process to observe, what records to check, etc.
4. Compliance – Yes or No
5 Findings – names of persons you spoke to, quotes of what they said, IDs and content of records you examined, description of facilities you visited, observations about the equipment you checked, etc.
Planning the main audit:
Create a plan to visit departments. Allocate time for meetings and focus areas of business functions that may have security requirements. List down security controls defined in the statement of applicability that you will audit.
Meeting people:
The audit process requires you to meet people, make observations of the processes, test them and verify security controls and records for compliance with ISMS requirements. Ask questions to ensure clarity and understanding. When doing interviews with employees, make sure to speak to a couple of people from the same process to examine whether they all perform the process in the same way. Open-ended questions are better than closed-end questions. Avoid using jargon. Use plain and simple language. When selecting record samples, do it yourself and ensure they are random and cover different areas. Make detailed notes of your findings to help write a precise report.
Audit report:
Your report will be the basis for performing corrective actions for ISMS. Agree on corrective actions and time frames which you will follow up on later. Corrective actions must be initiated for nonconformities identified during an internal audit. The internal audit report is a mandatory document according to ISO standards.
Follow-up work:
This involves checking corrective actions after the internal audit is completed. The internal audit only ends when nonconformities are closed.
Corrective Actions:
Before a full solution is implemented for corrective actions, ensure to take an action to solve the problem temporarily. A permanent fix requires identifying the root cause of the problem, after reviewing all of the symptoms. You need to get rid of the root cause to prevent a problem from happening again.
Niranjan Meegammana
Comments
Post a Comment